Cyber Security Begins Abroad
The Russian Foreign Intelligence Service’s compromise of U.S. company SolarWinds and a variety of other information technology infrastructures has been described as “the greatest cyber intrusion, perhaps, in the history of the world.” According to the Biden administration, the hack gave the Russians the ability to compromise or disrupt potentially 16,000 computer systems worldwide, enabling collection of vast amounts of information from federal departments and agencies, private companies, and other victims.
On April 15, the Biden administration outlined its response. The White House formally attributed the campaign to the Russian Foreign Intelligence Service, expelled Russian diplomats from the United States, imposed sanctions on six Russian technology companies that support the intelligence service’s cyber operations, and issued a new directive imposing sovereign debt sanctions on Russia. The administration’s actions were impressive in terms of their scope, drawing on many U.S. response options simultaneously.
While the most newsworthy aspects of Washington’s response to Russia was featured in the first two-thirds of the April 15 statement, the last section outlined important steps that will guide America’s international cyber policy for years to come. The Biden administration explained that it would be “supporting a global cybersecurity approach” through international capacity-building projects focused on enhancing understanding of the “policy and technical aspects of publicly attributing cyber incidents” and the provision of training to foreign partners on the applicability of international law in cyberspace. This effort highlights an often overlooked element of U.S. national security and cyberspace policy: Improved cyber security around the world and improved capacity to identify and hold accountable malign actors in cyberspace make the Internet safe for American users and everyone else. When the United States helps its international partners improve their own cyber security, the benefits reverberate across cyberspace.
For the United States, working with foreign governments to make the internet a more secure place is not just a diplomatic opportunity. It should be a key national security priority. International capacity building is particularly critical in cyberspace because threats from hackers, cyber criminals, and hostile intelligence services originate from all over the world. In addition, ensuring the resiliency of cyberspace on a global scale is imperative in countering China’s growing digital footprint and influence.
As staff of the Cyberspace Solarium Commission, we were tasked with examining all tools of statecraft that contribute to defending the United States from cyber attacks. Not only is it often (unwisely) passed over as a security priority, but current capacity-building infrastructure is inadequate, largely due to outdated legal authorities and processes that insufficiently meet the demands of modern diplomacy and security issues. International cyber security capacity building has a clear and direct benefit for U.S. national security. Congress is currently poised to make major changes to cyberspace policy at the State Department. As it does so, legislators would be wise to ensure that the department has sufficient funding, flexibility, and agility to build global cyber capacity around the globe by creating a fund specifically for cyber capacity building and corresponding authorities to provide emergency assistance.
Capacity Building as a National Security Priority
Capacity-building programs are vehicles for investing strategically in the international community. With respect to cyber security, such programs generally focus on improving national capacity to effectively deliver cyber security (referred to as “cyber maturity”) and equipping foreign governments with the resources and expertise essential to prevent, detect, withstand, and recover from cyber attacks. In particular, capacity building can help countries build national strategies for enhanced cyber security, collaborate and share information with the private sector on cyber risk management, revise criminal laws and procedures to mitigate cyber crime, bolster incident response and recovery capabilities, advance national cyber security awareness, and grow national cyber security workforces.
Multilateral efforts in the capacity-building arena are well established and supported by U.N. groups and other organizations alike. In particular, the Global Forum on Cyber Expertise has emerged as a leader via its role as a resource clearinghouse. Apart from these multilateral efforts, several states have pursued bilateral or regional cyber capacity-building initiatives. For example, the Australian government has specifically focused on the Indo-Pacific region in its efforts and works with partners across sectors to strengthen cyber security among its neighbors.
Cyber security capacity building serves U.S. national security interests in three ways. First, enabling foreign governments to undertake actions like responding rapidly and effectively to cyber security incidents or tamping down cyber crime makes all of cyberspace a safer place. The United States is not unique in recognizing this. For example, the Canadian government has clearly articulated the linkages between national security and international capacity: “The security of Canada is linked to that of other states. … When foreign states lack these resources, it can put the security of Canadians and Canadian interests at risk, both at home and abroad.” In this sense, cyber security capacity building is a straightforward example of a rising tide lifting all boats.
Second, stronger partners make better partners in countering malign behavior in cyberspace. For example, the United States and Ukraine have worked together for years on cyber security issues, including promoting “legal and regulatory reform, cyber workforce development, and private sector engagement.” Given the countries’ longstanding tradition of partnership on law enforcement investigations, not to mention Ukraine’s unique local cyber security environment, the United States directly strengthens its own security by ensuring that Ukraine is a highly capable cyber security partner. Equipping partner and allied nations with resources for cyber capacity building ensures that beneficiaries are protected from the coercive influence of cyber attacks and enabled to respond effectively. The strength of U.S. partners also helps expand the capacity for enforcing rules of responsible state behavior in cyberspace, promoting collaboration among states that share the U.S. vision for an open, interoperable, reliable, and secure internet. For example, foreign governments must have the independent capability to identify and analyze a cyber attack rapidly in order to engage in the growing trend of issuing a joint attribution and response. This joint enforcement minimizes the burdens any single state faces in holding accountable those who violate rules of responsible state behavior and encourages stability in cyberspace by reinforcing cyber security norms. Projects focused on enhancing joint enforcement and reinforcing cyber norms were precisely those that the Biden administration pledged to support in response to Russian malicious cyber activity, which focused on expanding attribution capacity and providing training regarding the applicability of international law in cyberspace.
Efforts to bolster foreign cyber capacity are distinct from military support for foreign partners in furtherance of “hunt forward” operations. In hunt forward operations, the U.S. military deploys to other countries to counter threats on foreign networks in partnership with those countries’ militaries. Capacity-building efforts that strengthen the overall cyber maturity of partner nations can pick up where these efforts leave off, promoting resilience and civilian cyber security without direct engagement of U.S. military personnel. Moreover, these military programs are distinct from incident response teams, whose primary role is to assist victims in the immediate aftermath of a cyber attack. The United States needs different tools for different problems. Capacity-building programs are broader in scope and go even further than existing military programs in strengthening the ability of partners to prevent, withstand, and respond to cyber attacks.
Finally, the national security value of capacity building also implicates efforts to counter China’s growing investment and influence in the digital infrastructure of countries in the Global South. As countries scramble to keep pace with the digital age, some governments may not have the economic resources to be picky about a source of technical assistance, and the cheapest technology is not always the best suited for promoting open societies. A report from the German Marshall Fund cites as an example, “After installing Huawei 4G equipment, video surveillance software, and facial recognition technology, Kenya, Tanzania, Vietnam, and Zimbabwe have to varying degrees seen the adoption of draconian cybercrime laws restricting Internet freedom and clamping down on speech against the government.”
Through projects like the Belt and Road Initiative and the Digital Silk Road, leaders in Beijing have found opportunities to both tap into a global customer base for their goods and spur the uptake of technology that aligns with state policy objectives. To give a sense of scale, in 2018, for the second year in a row, investment in African information and communications technology development projects from China alone eclipsed funding from the Infrastructure Consortium for Africa, the organization that combines the efforts of G8 countries and other governments with multilateral efforts like those of the World Bank and the African Development Bank.
U.S. capacity building — and cyber diplomacy generally — can and should counter growing influence from the Chinese government in the countries that have been dubbed the “digital deciders” (e.g., Brazil, India, Mexico, and Indonesia). The choices of these actors will have a critical impact on global technology governance and the balance of states that favor an open, global digital infrastructure that protects rights like privacy versus those that favor a closed, sovereign version that enables human rights abuses. U.S. national security reaps very tangible benefits from ensuring that the United States, alongside its partners and allies, is the first and trusted source for cybersecurity expertise, particularly as authoritarian adversaries like the Chinese government compete to influence the future of the internet. Bolstering cyber security capacity enables the United States to advance a free, open, and interoperable Internet and insulates beneficiary nations from Beijing’s efforts to project power abroad through infrastructure projects.
What Congress Can Do
Congress should create a new capacity-building fund dedicated to cyber security with the authority to provide assistance to countries of all income levels, in all parts of the world, especially during times of crisis. Despite the importance of capacity building as a national security priority, the legal authorities that enable U.S. cyber capacity building are inflexible and slow, often cobbled together from programs that were designed for Cold War-era diplomacy. These tools are insufficient to enable the United States — led by the State Department — to support foreign partners working to mature their cyber security systems, much less to meet the needs of partner and allied nations during times of crisis. Without specifically dedicated funds, cyber security is forced to compete with a variety of other foreign assistance priorities.
Existing frameworks for distributing aid make it difficult for the United States to support the cyber priorities of certain countries. These difficulties relate to the way foreign governments structure oversight of their cyber security policy and strategy, and to foreign assistance eligibility criteria that are tied to country income level or geographic location.
In the first case, the difficulty stems from otherwise practical limitations like those in the legislation authorizing the Economic Support Fund — one of the primary vehicles through which the State Department can fund foreign assistance projects. The law stipulates that the Economic Support Fund may not be used for “military or paramilitary purposes.” While this is important for ensuring the United States does not fund the development of offensive cyber operations programs in foreign countries, it hamstrings America’s ability to help countries bolster their civilian cyber security when such programs are overseen by military organizations. Colombia, for example, runs its national computer emergency response team through its Ministry of Defense, as does Latvia, and in Spain, the function sits under the national intelligence agency.
In the second case, the difficulty stems from the eligibility requirements associated with the use of certain foreign assistance funds. Congress should consider expanding criteria for cyber security capacity-building programs to allow for the provision of aid to middle-income countries, irrespective of geography. Some funds, like those earmarked for the Assistance to Europe, Eurasia, and Central Asia Fund, are limited to a particular geographic region. Other funds are generally aimed at providing assistance to low- and lower middle-income countries, which is an important means of ensuring that foreign aid is channeled to those countries in greatest need of support. When it comes to cyber security, however, some strategically important countries do not meet these criteria. Singapore, Taiwan, Indonesia, and Thailand, for example, are all considered upper-middle-income economies or high-income economies by the World Bank, but both private companies and government entities have been the target of economically and geopolitically motivated attacks, some of which have been attributed to Chinese groups. As currently structured, existing authorities can make it slow and bureaucratic to get funding to countries such as these, but given the region’s strategic importance, there are occasions when doing so may be both critical and time-sensitive.
A specific account dedicated to cyber security could allow Congress to ensure that all foreign assistance priorities — including cyber security — receive sufficient funding and resources. The March 2020 report of the U.S. Cyberspace Solarium Commission, a congressionally mandated body examining cyberspace policy, specifically recommended legislative action to untangle this issue. Both of the problems highlighted above speak to the short-term priority for strengthening U.S. abilities to build cyber security capacity: building flexible, consolidated funds for cyber security to overcome competing priorities for foreign assistance. Though funds can be cobbled together from the alphabet soup of foreign assistance funds, the absence of a designated fund means that cyber security competes with priorities like bolstering democracy and the rule of law, encouraging the development of free markets, or building peace in conflict-ridden regions. Additionally, a distinct fund would allow for the development of flexible eligibility criteria that are specifically tailored to strategic cyber-related objectives.
Existing U.S. capacity-building programs also face challenges related to agility and are inadequately positioned within broader efforts to counter Beijing’s growing influence abroad. Foreign assistance moves slowly. Capacity-building programs are aimed at boosting the cyber maturity of partner and allied nations, a process that can take years, if not decades. And even countries with the most mature cyber capabilities are not immune to crisis. When such crises arrive, it may be critical for the United States to move money immediately to aid with incident response and remediation. Congress should ask the State Department to review — in consultation with other federal departments and agencies — the process of delivering foreign aid in times of crisis and how the process for cyber security capacity building can be streamlined or expedited during exigent circumstances so that the State Department can support foreign partners when they need it most. Such assistance would be similar to the rapid humanitarian and disaster relief aid that the State Department and USAID distribute during times of crisis.
Additionally, departments and agencies with responsibility for allocating foreign assistance and implementing capacity-building projects should think about how these projects and programs fit into broader U.S. efforts to counter Beijing’s influence and investment in the Global South. In the face of such a concerted effort, the United States needs a careful, thoughtful strategy, connecting capacity-building efforts with diplomacy, law enforcement, private sector engagement, and more. The Cyber Diplomacy Act’s proposed Bureau of International Cyberspace Policy would be an ideal place for some of this coordination to take place.
Beyond the geopolitical issue of China, the Bureau of International Cyberspace Policy is an important place to align capacity-building efforts with broader cyber diplomacy goals addressing competing models of internet governance. Similarly, improved coordination at the White House level via the new office of the national cyber director can help align international capacity-building efforts across U.S. government agencies. In addition to the State Department’s work, the Department of Homeland Security is planning an international cyber security capacity-building “sprint.” Meanwhile, the Cybersecurity and Infrastructure Security Agency launched an international strategy, CISA Global, which aims also to support the State Department’s work with international partners on capacity building.
When it comes to international capability in cyberspace, U.S. civilian agencies should take the lead. While the Defense Department has a huge role to play in keeping the country safe in cyberspace, U.S. diplomats are better positioned to advance U.S. cyber security interests in foreign capitals. Ensuring that all tools of international engagement — including military, diplomatic, and foreign assistance — are aligned is imperative to strengthening the credibility of America’s actions in cyberspace, and the Bureau of International Cyberspace Policy is a good focal point for that coordination within the State Department.
The Biden administration’s emphasis on capacity building in response to Russian malicious cyber activity is an important reminder that, in cyberspace, America’s safety is wound up with that of the rest of the world. As Congress works to improve the government’s structure for engaging internationally on cyber security, it should ensure that the State Department has the authority to provide aid in a timely and concerted fashion. By doing its part to help partners and allies, the United States can take a crucial step in building a resilient cyberspace and protecting vital U.S. interests.
Natalie Thompson is a research analyst with the U.S. Cyberspace Solarium Commission. Previously, she was a research assistant and James C. Gaither Junior Fellow at the Carnegie Endowment for International Peace, working with the Technology and International Affairs Program on projects related to disinformation and cybersecurity. She tweets at @natalierthom.
Zoe Peach-Riley is a research intern with the U.S. Cyberspace Solarium Commission. She is a current student at the University of Southern California, where she is pursuing a major in intelligence & cyber-operations.
Laura Bate is a senior director with the U.S. Cyberspace Solarium Commission and a 2021 Next Generation National Security Fellow with the Center for a New American Security. Previously, she was a policy analyst with New America’s Cybersecurity Initiative and remains an International Security Program Fellow. She tweets at @Laura_K_Bate.
Image: State Department